We have installed and configured the haveged daemon for all cloud web hosting accounts, semi-dedicated servers and Virtual Private Servers.
Haveged daemon is designed to fill up the server’s entropy pool and make applications that use random data work such as SSL certificate, encrypted databases, etc. work much faster.
What is an entropy pool?
The entropy pool is the place where all random data is gathered. This data is used by almost every server app that needs random numbers. It’s collected from hardware interrupts triggered by mice, keyboards, disk drives or I/O devices. Servers usually have neither keyboards nor mice, so the entropy pool receives data from fewer sources.
The haveged daemon sends small CPU requests and gathers the different responses to fill up the entropy pool. Tests show that servers running the haveged daemon fill up the pool almost instantly.
How will all this affect the server’s performance and my websites?
There are two primary random data feeding sources on a server – /dev/random and /dev/urandom.
The first one waits until the entropy pool is full and then gathers the random data. It’s the default ‘go-to’ for all apps looking for random numbers. The problem is that it works only when the pool is sufficiently full. In comparison,/dev/urandom works even when the pool is nearly empty, but it returns much less random data.
A random data pool that is low on entropy can severely affect the security of the client-server communication, lowering the chance that your data will remain safe from cryptanalysis.
In contrast, an entropy pool that fills up fast will increase not only the security of the client-server communication, but also its speed.
Here is a simple test scenario – accessing encrypted data in a MySQL database using the mcrypt PHP extension.
If you want to store encrypted data in a database, the mcrypt PHP extension has to encrypt this data first. To do that, it uses random data from the entropy pool. With a fuller pool, the encryption will be better and the process will be completed faster, resulting in faster database queries. The same applies to the reverse process – accessing already encrypted information.
Our tests show that the same database works about 10 times faster when the server is running the haveged daemon.
The best part is that there are no code changes or data validation modifications required.